Closed: MH-17 closed this 4 months ago
Well, I believe that the current behaviour of having the component name be the same as the project name is pretty correct. It just explicitly represents Gradle project metadata in the SBOM.
You can configure the project name on the Gradle side for the root project and for any other project.
Please let me know if I'm missing something.
As the default behaviour, I agree that the project name should be used as the component name. Similarly, it is also correct to use the Gradle project version as the component version in the SBOM. Nevertheless, you enable users of the plugin to override the component version to something different from the project version.
I tried to explain my edge case above in the "Background" paragraph. I cannot set a static Gradle project name because this would prevent developers from opening multiple projects in the same Eclipse workspace. If you don't define a static project name in Gradle, it will default to the directory name. This is usually fine for Gradle builds but could result in wrong component names being written into the SBOM. In this use case, I would like to specify a static component name in the CycloneDxTask to guarantee a correct SBOM output.
Update: I forgot to mention this, but we are setting the `project.archiveBaseName`. Hence, we would also be happy if the component name could be switched from the project name to the archive name. If you want and could explain how you want it done, I can also contribute to this.
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
The component name is automatically set to the project name when the SBOM is generated. In the same manner that you can override the component version, I want to allow users to alter this component name.
Background: The same component is being customized for several projects at my company. It is the goal of the developers to open several of these projects in a single Eclipse workspace. They can only do this if their Gradle project names differ. As a result, we rely on the directory name in which the project is kept rather than having a static project name declared in our repositories. Thus far, everything is going according to plan. However, our Azure DevOps pipelines check out the code into a directory named "s", which causes SBOMs to be generated with the component name "s". The above change would allow us to define a static component name for the CycloneDxTask.
I would be willing to provide a PR for this change. Please let me know if you would accept this change. :)
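Until the plugin can be told a static component name, the failure mode described in this issue (a CI checkout directory such as "s" leaking into `metadata.component.name`) is easy to catch with a post-generation check in the pipeline. The script below is an added example and is not code from the issue, its author, or the CycloneDX Gradle plugin. It assumes the SBOM is CycloneDX JSON with `metadata.component.name`, `version` and `purl`; the sample SBOM, the expected name `payment-core` and the list of suspicious directory-like names are constructed for the example.

```python
"""Post-generation check for a CycloneDX SBOM's metadata component.

Added example, not part of the issue thread or the CycloneDX Gradle plugin.
Assumes CycloneDX JSON with metadata.component.{name,version,purl}.
"""
import json

# Constructed sample: an SBOM whose component name inherited the
# Azure DevOps checkout directory "s" instead of the real project name.
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "version": 1,
  "metadata": {
    "component": {
      "type": "library",
      "name": "s",
      "version": "2.3.0",
      "purl": "pkg:maven/com.example/s@2.3.0"
    }
  },
  "components": []
}
"""

# Assumed list of names that are almost certainly a checkout or build
# directory rather than a real component name ("s" is the one from the issue).
SUSPICIOUS_NAMES = {"s", "src", "source", "workspace", "build", "repo", "project"}


def check_component(sbom, expected_name, expected_version=None):
    """Return a list of findings; an empty list means the metadata is as expected."""
    findings = []
    component = sbom.get("metadata", {}).get("component")
    if not component:
        return ["metadata.component is missing"]

    name = component.get("name")
    if name != expected_name:
        findings.append(f"component name is {name!r}, expected {expected_name!r}")
    if name in SUSPICIOUS_NAMES:
        findings.append(f"component name {name!r} looks like a checkout directory name")

    version = component.get("version")
    if expected_version is not None and version != expected_version:
        findings.append(f"component version is {version!r}, expected {expected_version!r}")

    # The purl embeds the name as well ("pkg:maven/<group>/<name>@<version>");
    # a purl built from the wrong name is just as misleading as the name itself.
    purl = component.get("purl")
    if purl is not None and f"/{expected_name}@" not in purl:
        findings.append(f"purl {purl!r} does not reference {expected_name!r}")
    return findings


def check_sbom_text(sbom_text, expected_name, expected_version=None):
    """Parse an SBOM JSON document and run check_component on it."""
    return check_component(json.loads(sbom_text), expected_name, expected_version)


if __name__ == "__main__":
    # Fail the pipeline step when any finding is reported.
    problems = check_sbom_text(SAMPLE_SBOM_JSON, "payment-core", "2.3.0")
    for finding in problems:
        print("SBOM check:", finding)
    raise SystemExit(1 if problems else 0)
```

Run it against the plugin's output (`build/reports/bom.json` by default) with the component name the repository is supposed to carry; a non-zero exit blocks the SBOM from being published with a directory name in it, which is exactly the case the Azure DevOps "s" checkout produces.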